November 2004
Macros in openssl source code
日有所得 2004-11-23 09:30:52
You see a macro used somewhere in the code and go looking for its definition, only to find that ctags doesn't help and grep -r turns up nothing either. Can you work out what is going on?
crypto/pem/pem.h:

#define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"

#define IMPLEMENT_PEM_rw(name, type, str, asn1) \
    IMPLEMENT_PEM_read(name, type, str, asn1) \
    IMPLEMENT_PEM_write(name, type, str, asn1)

#define IMPLEMENT_PEM_read(name, type, str, asn1) \
    IMPLEMENT_PEM_read_bio(name, type, str, asn1) \
    IMPLEMENT_PEM_read_fp(name, type, str, asn1)

#define IMPLEMENT_PEM_write(name, type, str, asn1) \
    IMPLEMENT_PEM_write_bio(name, type, str, asn1) \
    IMPLEMENT_PEM_write_fp(name, type, str, asn1)

#define IMPLEMENT_PEM_read_bio(name, type, str, asn1) \
type *PEM_read_bio_##name(BIO *bp, type **x, pem_password_cb *cb, void *u) \
{ return((type *)PEM_ASN1_read_bio((char *(*)())d2i_##asn1, str, bp, \
    (char **)x, cb, u)); }

/home/wayman/src/openssl-0.9.7e/crypto/pem/pem_xaux.c:68:

IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)

Now this macro is expanded to 4 functions (read_bio, read_fp, write_bio, write_fp); the first of them is:

X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u)
{
    return (X509 *)PEM_ASN1_read_bio((char *(*)())d2i_X509_AUX,
        "TRUSTED CERTIFICATE", bp, (char **)x, cb, u);
}
...

and `grep -r PEM_read_bio_X509_AUX` will get nothing :-( because that name only exists after the preprocessor pastes PEM_read_bio_ and X509_AUX together.
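As an added example (not from the original post), here is a small POSIX shell helper that does what plain grep cannot: it splits the wanted name at each underscore and searches for the token-pasting fragment (`PEM_read_bio_##`) and then for invocations that pass the remaining token. The source tree it searches is constructed inline from the macros shown above; the file names and the `find_pasted` helper are mine.

```shell
#!/bin/sh
# Added example, not from the original post: find the macro behind a symbol
# that grep cannot see, by searching for the token-paste fragments instead.
# The source tree below is constructed inline to mirror crypto/pem above;
# in a real tree, running `cc -E` on the .c file and grepping its output
# is the other way to reveal the generated name.
set -e
SRC=$(mktemp -d)
trap 'rm -rf "$SRC"' EXIT
mkdir -p "$SRC/crypto/pem"
cat > "$SRC/crypto/pem/pem.h" <<'EOF'
#define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
#define IMPLEMENT_PEM_rw(name, type, str, asn1) \
    IMPLEMENT_PEM_read(name, type, str, asn1) \
    IMPLEMENT_PEM_write(name, type, str, asn1)
#define IMPLEMENT_PEM_read_bio(name, type, str, asn1) \
type *PEM_read_bio_##name(BIO *bp, type **x, pem_password_cb *cb, void *u) \
{ return((type *)PEM_ASN1_read_bio((char *(*)())d2i_##asn1, str, bp, (char **)x, cb, u)); }
EOF
printf '%s\n' 'IMPLEMENT_PEM_rw(X509_AUX, X509, PEM_STRING_X509_TRUSTED, X509_AUX)' \
    > "$SRC/crypto/pem/pem_xaux.c"

# find_pasted SYMBOL DIR: split SYMBOL at each '_' into prefix/suffix, look for
# a #define that pastes "<prefix>_##", then for invocations passing the suffix.
# Returns 0 if any pasting definition was found, 1 otherwise.
find_pasted() {
  sym=$1; dir=$2; found=1; rest=$sym
  while [ "${rest#*_}" != "$rest" ]; do
    rest=${rest#*_}                      # drop one leading token
    prefix=${sym%"_$rest"}               # everything before it
    defs=$(grep -rn "${prefix}_##" "$dir" 2>/dev/null || true)
    [ -n "$defs" ] || continue
    echo "definition pasting '${prefix}_##':"
    echo "$defs"
    echo "invocations passing '$rest':"
    grep -rnw -- "$rest" "$dir" | grep -v '#define' || true
    found=0
  done
  return $found
}

# The name from the post: grep for it directly finds nothing, this does.
find_pasted PEM_read_bio_X509_AUX "$SRC"
```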
mini openssl command line howto
日有所得 2004-11-23 09:34:09
$Id: openssl.txt,v 1.1 2004/11/19 08:14:16 wayman Exp $
0. install openssl
tar xzvf openssl-0.9.7e.tar.gz
cd openssl-0.9.7e
./config --prefix=$HOME
make
make test
make install
export PATH=$HOME/bin:$PATH
1. prepare CA path structure
cd ~/ssl
mkdir FakeCA
cd FakeCA
mkdir certs
mkdir newcerts
mkdir crl
mkdir private
touch index.txt
echo 01 > serial
vi ../openssl.cnf # change demoCA, policy, filename of key and root cert
# note: you can use ./demoCA of course ...
2. create key and root cert
openssl genrsa -out private/ca.key -des3 2048
openssl req -new -x509 -days 3650 -out ca.crt -key private/ca.key -notext
3. sign sub ca cert
cd ~/tmp
openssl req -new -keyout ca2.key -out ca2.req -days 3650
openssl ca -days 3650 -notext -extensions v3_ca -out ca2.crt -infiles ca2.req
rm ca2.req
4. use sub ca key to sign web server cert
openssl req -new -keyout waking.key -out waking.req -days 3650
openssl ca -days 3650 -notext -keyfile ca2.key -cert ca2.crt -out waking.crt \
    -infiles waking.req
rm waking.req
# now waking.key and waking.crt can be used in Apache
other tips ============
o test a cert using s_server
openssl s_server -accept 8443 -key my.key -cert my.crt -www
use browser to access https://server:8443
o test an HTTPS web site using s_client (retrieves the remote cert)
openssl s_client -connect host:port
o revoke
openssl ca -revoke newcerts/01.pem
openssl ca -gencrl -out crl/fakeca.crl
o password
openssl passwd MySecret # generate a crypt-style password, e.g. for use in CVS
N8eFL9uEhdHQU
openssl passwd MySecret -salt N8 # the salt is the first 2 letters
N8eFL9uEhdHQU
CVS over SSH on different port
日有所得 2004-11-24 22:51:22
CVS server side
1. Create a `guest' account; don't give it a normal shell!
# useradd -s /sbin/nologin guest
2. Generate a public/private key pair for the guest account
# mkdir ~guest/.ssh
# cd ~guest/.ssh
# ssh-keygen -t dsa -f guest-on-cvsserver.key
# cat guest-on-cvsserver.key.pub >> authorized_keys
# chown -R guest:guest .
# chmod 700 .
# chmod 600 authorized_keys
CVS client side
1. Put guest-on-cvsserver.key in ~/.ssh/, and
$ chmod 700 ~/.ssh
$ chmod 400 ~/.ssh/guest-on-cvsserver.key
2. Append the following lines to ~/.ssh/config
Host cvsserver
Hostname cvsserver.hostname.or.ip
Port 22222
User guest
PreferredAuthentications publickey
IdentityFile ~/.ssh/guest-on-cvsserver.key
3. Use cvs over SSH (I mean OpenSSH!)
CVS_RSH=ssh cvs -d :ext:guest@cvsserver:/cvs co module_name
Two references on pki4ipsec
日有所得 2004-11-27 20:23:30
Profiling Use of PKI in IPSEC (pki4ipsec)
http://www.ietf.org/html.charters/pki4ipsec-charter.html
Requirements for an IPsec Certificate Management Profile
http://www.ietf.org/internet-drafts/draft-bonatti-pki4ipsec-profile-reqts-01.txt